Creating an IAM Policy to Access Amazon S3 Resources

Aurora can access Amazon S3 resources to either load data to or save data from an
Aurora DB cluster. However, you must first create an IAM policy that provides the
bucket and object permissions that allow Aurora to access Amazon S3.

The following table lists the Aurora features that can access an Amazon S3 bucket
on your behalf, together with the minimum bucket and object permissions that each
feature requires.

Feature                  Bucket Permissions   Object Permissions
LOAD DATA FROM S3        ListBucket           GetObject, GetObjectVersion
LOAD XML FROM S3         ListBucket           GetObject, GetObjectVersion
SELECT INTO OUTFILE S3   ListBucket           AbortMultipartUpload, DeleteObject, GetObject,
                                              ListMultipartUploadParts, PutObject

You can use the following steps to create an IAM policy that provides the minimum
required permissions for Aurora to access an Amazon S3 bucket on your behalf. To allow
Aurora to access all of your Amazon S3 buckets, you can skip these steps and use either
the AmazonS3ReadOnlyAccess or AmazonS3FullAccess
predefined IAM policy instead of creating your own.

On the Visual editor tab, choose Choose a service,
and then choose S3.

Choose Expand all under Actions and then choose the bucket
permissions and object permissions needed for the IAM policy.

Object permissions are permissions for object operations in Amazon S3, and
need to be granted for objects in a bucket, not the bucket
itself. For more information about permissions for object operations
in Amazon S3, see Permissions for Object Operations.

Choose Resources and choose Add ARN for bucket.

In the Add ARN(s) dialog box, provide the details
about your resource, and choose Add.

Specify the Amazon S3 bucket to allow access to.
For instance, if you want to allow Aurora to access the Amazon S3 bucket named
example-bucket, then set the ARN value to
arn:aws:s3:::example-bucket.

If the object resource is listed, choose Add ARN for object.

In the Add ARN(s) dialog box, provide the details
about your resource.

For the Amazon S3 bucket, specify the Amazon S3 bucket to allow access to.
For the object, you can choose Any to grant permissions to
any object in the bucket.

Note

You can set the Amazon Resource Name (ARN) to a more specific value in order
to allow Aurora to access only specific files or folders in an Amazon S3 bucket.
For more information about how to define an access policy for Amazon S3, see
Managing Access Permissions to Your Amazon S3 Resources.

Optionally, choose Add additional permissions to add another Amazon S3 bucket
to the policy, and repeat the previous steps for the bucket.

Note

You can repeat this to add corresponding
bucket permission statements to your policy for each Amazon S3 bucket
that you want Aurora to access. Optionally, you can also grant access
to all buckets and objects in Amazon S3.

Choose Review policy.

Set Name to a name for your IAM policy, for
example AllowAuroraToExampleBucket. You use this name when you
create an IAM role to associate with your Aurora DB cluster. You can also add
an optional Description value.
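The policy document that the console steps above produce, built from the permission table at the top of this page, as an added example rather than code from the AWS documentation. The function name, the bucket name example-bucket and the imports/ folder are constructed for illustration; the feature names and the bucket/object permission split come from the table.

```python
import json

# Minimum S3 permissions per Aurora feature, from the table on this page.
# Bucket-level actions are granted on the bucket ARN; object-level actions are
# granted on objects under the bucket (arn:aws:s3:::bucket/...), never on the
# bucket ARN itself.
FEATURE_PERMISSIONS = {
    "LOAD DATA FROM S3": {
        "bucket": ["s3:ListBucket"],
        "object": ["s3:GetObject", "s3:GetObjectVersion"],
    },
    "LOAD XML FROM S3": {
        "bucket": ["s3:ListBucket"],
        "object": ["s3:GetObject", "s3:GetObjectVersion"],
    },
    "SELECT INTO OUTFILE S3": {
        "bucket": ["s3:ListBucket"],
        "object": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                   "s3:ListMultipartUploadParts", "s3:PutObject"],
    },
}


def aurora_s3_policy(bucket, features, prefix=""):
    """Return an IAM policy document granting only what `features` need.

    `prefix` (for example "imports/") narrows the object statement to one
    folder, as the Note about more specific ARNs describes. The ListBucket
    statement stays on the bucket ARN, because that action is evaluated
    against the bucket, not against individual keys.
    """
    bucket_actions, object_actions = set(), set()
    for feature in features:
        bucket_actions.update(FEATURE_PERMISSIONS[feature]["bucket"])
        object_actions.update(FEATURE_PERMISSIONS[feature]["object"])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AuroraBucketAccess", "Effect": "Allow",
             "Action": sorted(bucket_actions),
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "AuroraObjectAccess", "Effect": "Allow",
             "Action": sorted(object_actions),
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }


if __name__ == "__main__":
    # Constructed case: read-only loads from the imports/ folder of example-bucket.
    policy = aurora_s3_policy("example-bucket", ["LOAD DATA FROM S3"], "imports/")
    print(json.dumps(policy, indent=2))
```

The printed JSON can be pasted into the JSON tab of the IAM policy editor in place of the visual-editor steps; combining features (for example a cluster that both loads and exports) unions their actions into the same two statements.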